@juanzelli
Hey juanzelli - thanks for sharing this post. Somehow i missed it the first time reading through the forum. I just tried that also,
System->Update->Update Settings and just clicking Save without making any other changes.
now it shows packages and when i select 13 from the console,
9c1ba1da-8cf4-45be-968c-6c378b51e8d0-image.png
Funny thing is i have rebooted this a few times since the initial upgrade, for other issues i am having. I was just about to do a factory reset, and thought, well, let me try that.... Thank you again!

@anthonys I found the wierd problrm if you click the update version there the plus and one says snapshot.

If it click on snapshot on update it will disable packages as there no two version in the update number as I am on Eufi plus version.

@diyhouse ah thank you for getting back to me. I wasn't able to get it working, but did find this,
udpbroadcastrelay for pfsense . It looks like it was released for 2.6 , but now is only available on 2.7 so I was thinking of giving that a shot when it comes around .
https://redmine.pfsense.org/issues/10818

Currently AVAHI does everything I want except allow me to play from VLC to my Chromecast across vlan or from something like jwplayer's cast function . For some reason it also doesn't work to use VLC render on Chromecast even on the same vlan.

Literally everything else works, cast tab, cast screen, YouTube case from a phone , mirror cast phone screen etc. Spotify works, printer works etc.

What I don't do is Sonos.

Well crap! I edited every cert I found with a X3 reference and it keeps coming back. It now only exists in the backup directory where I saved the unedited certs.

The strange thing is that not only is it still appearing in the FreeRadius chain, but also in the haproxy shared-frontend.pem.

What am I missing?

Maybe it's in the config.xml?

I made a copy of my config from /conf/config.xml at /root/backup

xmllint --xpath "//*/crt" /root/backup/config.xml > cert.base64 split -p "\n" ./cert.base64

Here is where I lost the will to script stuff out. All the certs are base64 encoded and there's no base64 tool installed and I was struggling with using openssl so I went back to basics.

cat xaa | perl -MMIME::Base64=decode_base64 -e 'print decode_base64 join"",<>' > xaa.b64 cat xab | perl -MMIME::Base64=decode_base64 -e 'print decode_base64 join"",<>' > xab.b64 cat xac ...

Now to see if any contain the dreaded and undying X3 cert

openssl crl2pkcs7 -nocrl -certfile /root/backup/xaa.b64 | openssl pkcs7 -print_certs -noout | grep -i x3 openssl crl2pkcs7 -nocrl -certfile /root/backup/xab.b64 | openssl pkcs7 -print_certs -noout | grep -i x3 openssl crl2pkcs7 -nocrl -certfile /root/backup/xac.b64...

2 of these files actually contain the damn X3 cert.

xaj.b64 contains it, so I just searched the config.xml for the contents of the xaj file and found it here:

<ca> <refid>61563c252dbc8</refid> <descr><![CDATA[Acmecert: O=Internet Security Research Group, CN=ISRG Root X1, C=US]]></descr> <crt>LS0tLS1CRUdJ...S0tLS0=</crt> <serial>0</serial> </ca>

There was also another match I traced back to:

<ca> <refid>61578b1bd6592</refid> <descr><![CDATA[Acmecert: O=(STAGING) Internet Security Research Group, CN=(STAGING) Pretend Pear X1, C=US]]></descr> <crt>LS0tL...tLQ==</crt> <serial>0</serial> </ca>

I grabbed the serial number of the certs with X3 using this tool and then manually went through my cert manager looking for anything that matches. I found them in my cert manager and deleted them and nothing has changed. FreeRadius and HAProxy arestill somehow finding the X3 cert. I even extracted all the certs again from the updated config.xml, now with fewer certs and yet it's still appearing.

@yeahmagnets said in Restored /usr/local/etc/raddb/users file, users don't show up:

how is it possible?

You - us - need more details.

The 'system works :

[23.01-RELEASE][admin@pfSense.near.by]/usr/local/pkg: radtest x x 192.168.2.1 0 radius Sent Access-Request Id 84 from 0.0.0.0:37887 to 192.168.2.1:1812 length 71 User-Name = "x" User-Password = "a" NAS-IP-Address = 192.168.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "a" Received Access-Accept Id 84 from 192.168.2.1:1812 to 192.168.2.1:37887 length 57 Acct-Interim-Interval = 600 WISPr-Redirection-URL = "https://www.google.com/" [23.01-RELEASE][admin@pfSense.near.by]/usr/local/pkg: radtest x b 192.168.2.1 0 radius Sent Access-Request Id 32 from 0.0.0.0:43449 to 192.168.2.1:1812 length 71 User-Name = "x" User-Password = "b" NAS-IP-Address = 192.168.1.1 NAS-Port = 0 Message-Authenticator = 0x00 Cleartext-Password = "b" Received Access-Reject Id 32 from 192.168.2.1:1812 to 192.168.2.1:43449 length 20 (0) -: Expected Access-Accept got Access-Reject

Use x has password 'a' - and not password 'b'

Stop Freeradius in the GUI.
Open another console SSH access, and run

radiusd -X

Now you have details.

In the first console SSH do you test again.

Check the logs.
I'm pretty sure that it is a config issue.
It's already 'hard' to get radius answering "Access-Accept" ;)

@yeahmagnets said in Restored /usr/local/etc/raddb/users file, users don't show up:

we managed to save

You only need to take care of one little file : the config.xml as everything is in there.

Go here Diagnostics > Backup & Restore > Backup & Restore for a manual save.
I'm also using a PC (server) that auto logs in, and retrieves that file.
I'm also using Services > Auto Configuration Backup > Settings for the off-site backup.

@jonathanlee said in System Patches package version 2.2.x:

@steveits but for new OS updates do we remove before PfSense updates?

No, you do not need to do anything in this package before upgrading. Just leave it as-is.

In the majority of cases, what you are updating to will contain all of the patches available to previous versions. If you had custom patches that are not a part of pfSense software you might need to reapply those after upgrading, but otherwise you don't need to touch anything in the package before or after upgrading.

Steve,
Thanks for your help. I did not have any option to choose. During the initial install it performed an update automatically. I don't recall seeing any options for versions.

I just double checked my version here is what I have running:
22.05.1-releease (arm64)
built tues dec 6, 15:43.34 UTC 2022
FreeBSD 12.3-stable

I do now see a update available for 23.01. This was not showing yesterday.

Thanks in advanced Joe

I just followed these instructions:

https://benheater.com/integrating-pfsense-with-wazuh/

and I have the agent installed on pfSense 2.60 CE, with events registering in my Wazuh dashboard. So it works!

I installed directly from freeBSD ports. Conflict with openLDAP.

oh i forgot to tell that the packages are available before but when want to use it, it cant be use.

@krumx Hello,

This doesn't help much at the moment however, they do have an open ticket for this issue. Just not sure when it will be fixed but at least we can track it here and update as soon as possible:

https://redmine.pfsense.org/issues/13985

@iftvio

Hello!

The propriety of multiple CNs in a cert notwithstanding, and not knowing exactly which version you are running or the intent of the original design goals with regards to handling multiple CNs, a quick code review of your suggested fix would indicate that it may not work in all situations.

Among the possible issues:

$is_wildcard will be set based on the last CN checked in the array. str_replace will return an array when the subject ($cert_cn) parameter is an array, which will cause subsequent calls to substr that reference $cert_cn_regex to fail.

A quick hack might be to simply set $cert_cn to the first/last CN in the array, when present.

Of course, any code changes should be fully unit tested.

John

Thanks steve! I'll check them out!